MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88908ef35a39d6295a1b5775b08f2f44b3ccfad8bec6bf4e4a067428ed95262e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88908ef35a39d6295a1b5775b08f2f44b3ccfad8bec6bf4e4a067428ed95262e
SHA3-384 hash: 274b9d5df2acabb4c07af613f20bce883cdcd51486bd4ddfef5943bde09ebc256ac208adbe2eb639b29f084fde080b0c
SHA1 hash: f4265d77dce5b80c23c2b0da97b037c77d4443f5
MD5 hash: 9f3752615bd50cf858b6f18854f67580
humanhash: wolfram-earth-steak-hydrogen
File name:Booking vouchers.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:590'336 bytes
First seen:2021-03-10 06:59:37 UTC
Last seen:2021-03-10 08:50:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:XIRziBG4UoX/ULFH1F4LtKm8NiLLmc3l77xRjptsHTv/aTCek:2sG4UoX/UwgJc177xlptsHTv/YC
Threatray 119 similar samples on MalwareBazaar
TLSH CEC4E0B112F6F658E27924B5C0FD08304EAAE602B6BAC5AC592732EF0FF13951D54BC5
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: franceloc-postfix.filnet.fr
Sending IP: 194.187.193.118
From: Marmot Tours <info@wip-hausschutz.de>
Reply-To: hg.virtucycling@gmail.com
Subject: Group rooming list PT 1422
Attachment: Booking vouchers.rar (contains "Booking vouchers.exe")

RemcosRAT C2:
donjon555.hopto.org:2404 (185.19.85.134)

% Information related to '185.19.84.0 - 185.19.85.255'

% Abuse contact for '185.19.84.0 - 185.19.85.255' is 'abuse@datawire.ch'

inetnum: 185.19.84.0 - 185.19.85.255
netname: DATAWIRE-DATACENTERS
descr: CUSTOMERS ZG01
country: CH
admin-c: DA4314-RIPE
tech-c: DA4314-RIPE
status: ASSIGNED PA
mnt-by: DATAWIRE-NOC
created: 2013-09-23T14:18:55Z
last-modified: 2013-09-23T14:18:55Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Booking vouchers.exe
Verdict:
Malicious activity
Analysis date:
2021-03-10 07:00:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ec99354b-8a59-4842-8107-e9165d41bd13

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/123473/
Detection(s):
SecuriteInfo.com.Artemis9F3752615BD5.15135.11987.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a file
DNS request
Connection attempt
Creating a file in the %AppData% subdirectories
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/633919
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Drops PE files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Remcos
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 365931 Sample: Booking vouchers.exe Startdate: 10/03/2021 Architecture: WINDOWS Score: 100 35 donjon555.hopto.org 2->35 37 donjon555.ddns.net 2->37 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Detected Remcos RAT 2->49 51 9 other signatures 2->51 8 Booking vouchers.exe 1 2->8         started        12 System32.exe 1 2->12         started        signatures3 process4 file5 33 C:\Users\user\...\Booking vouchers.exe.log, ASCII 8->33 dropped 53 Writes to foreign memory regions 8->53 55 Allocates memory in foreign processes 8->55 57 PowerShell case anomaly found 8->57 14 AppLaunch.exe 8->14         started        17 powershell.exe 14 8->17         started        20 AppLaunch.exe 2 3 8->20         started        59 Injects a PE file into a foreign processes 12->59 23 AppLaunch.exe 12->23         started        signatures6 process7 dnsIp8 61 Contains functionality to steal Chrome passwords or cookies 14->61 63 Contains functionality to capture and log keystrokes 14->63 65 Contains functionality to inject code into remote processes 14->65 71 2 other signatures 14->71 27 C:\Users\user\AppData\...\System32.exe, PE32 17->27 dropped 29 C:\Users\...\System32.exe:Zone.Identifier, ASCII 17->29 dropped 67 Drops PE files to the startup folder 17->67 69 Powershell drops PE file 17->69 25 conhost.exe 17->25         started        39 donjon555.hopto.org 185.19.85.134, 2404, 49708, 49709 DATAWIRE-ASCH Switzerland 20->39 41 donjon555.ddns.net 20->41 43 192.168.2.1 unknown unknown 20->43 31 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 20->31 dropped file9 signatures10 process11
Gathering data
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-03-10 07:00:11 UTC
AV detection:
9 of 47 (19.15%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rcii5422hhlcswq3k523bdzpisz4z6wyx3dl6tskaz2cr3mveyxa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
26c230cde9fb7544f7e3762f1abac39f6c8f0d2db0689178b223e0e68d2a6a0a
RemcosRAT
492823289d0cbc07c789546fda1d7bbee05327c29964f5738f70e82ae7c4f4ad
RemcosRAT
57a1ee826afb333572965abe745c06597d0111f75494c586619d6b23d9ceda10
RemcosRAT
8c38dbbc3834ab600313e6cd32e0e1a077726f002a608b5cbf9baa87ff11f90f
RemcosRAT
b0dad01939e09e869b27e59d7a7d7c79fdd31bb4a8c52153844c23c3c34bf368
RemcosRAT
b782581b1ca3da09fdf3ecbb173ee3ca1f313f5f325f407df976601cad8ce839
RemcosRAT
d6bb7d0218b0894bcc733065261069c1cb4e151b4ca367f37e888d2beacc0dd9
RemcosRAT
d94560cd6d50d7d21e77bc064c508f5569329d6c2a074859ba3b1ea2f64142ec
RemcosRAT
e4e47b27c701e89ac6a550ab1f8ecb6058c79d9f9bca9a56ec71e3baf01dc545
RemcosRAT
ef6ac1293cdfda22c8d940f96c5433f406a4c3666e6941e4f094a8cf50d04ac1
RemcosRAT
+ 109 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/210310-xqr5vk4rc6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Remcos
Malware Config
C2 Extraction:
donjon555.hopto.org:2404
donjon555.ddns.net:2404
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/773b7ac6-4607-4a15-850f-7209014cc591/
SH256 hash:
d2a4a16c16d4d7e5de662d0f028d98211be911aeb5aa68a5f410dcdca89f4f25
MD5 hash:
6096349029085717c3683615a62aaf96
SHA1 hash:
8a9e621a12a0c2819e96e6b0f1a2c0b3d8d311fa
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/773b7ac6-4607-4a15-850f-7209014cc591/
SH256 hash:
88908ef35a39d6295a1b5775b08f2f44b3ccfad8bec6bf4e4a067428ed95262e
MD5 hash:
9f3752615bd50cf858b6f18854f67580
SHA1 hash:
f4265d77dce5b80c23c2b0da97b037c77d4443f5
Link:
https://www.unpac.me/results/773b7ac6-4607-4a15-850f-7209014cc591/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88908ef35a39d6295a1b5775b08f2f44b3ccfad8bec6bf4e4a067428ed95262e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar f25cf2ad4299df6cf65790e043f4aa0064cc00eb17ed02b910de29ce99ca31dd

RemcosRAT

Executable exe 88908ef35a39d6295a1b5775b08f2f44b3ccfad8bec6bf4e4a067428ed95262e

(this sample)

  
Dropped by
MD5 74abdb77055ac434b1c9f486d497ff0c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/123473/
  
Dropped by
SHA256 f25cf2ad4299df6cf65790e043f4aa0064cc00eb17ed02b910de29ce99ca31dd

Comments